Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

apegurus/off-by-one

Name: off-by-one
Author: apegurus

skills/vulnerability-patterns/off-by-one/SKILL.md

npx skillsauth add apegurus/solidity-argus off-by-one

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Off-By-One Errors

Preconditions

Contract uses loops with boundary conditions, comparison operators at thresholds, or array index calculations
The boundary/comparison is off by exactly one from the intended behavior

Vulnerable Pattern

// Skips the last element
function processAll() external {
    for (uint256 i = 0; i < users.length - 1; i++) {
        // Should be i < users.length
        // Last user is never processed
        _distribute(users[i]);
    }
}

// Off-by-one in threshold check
function liquidate(uint256 ratio) external {
    // Should be ratio < MIN_RATIO (liquidate when below)
    // Using <= means accounts AT the minimum are also liquidated
    require(ratio <= MIN_RATIO, "healthy");
    _liquidate();
}

// Out-of-bounds access
function getLastUser() external view returns (address) {
    return users[users.length]; // Should be users.length - 1
}

Detection Heuristics

For every loop, check the boundary condition: < length vs <= length vs < length - 1
< length - 1 skips the last element — flag unless intentional
<= length goes out of bounds on array access — flag always
For comparison operators at thresholds (>, >=, <, <=), verify the boundary matches the specification (e.g., "greater than" vs "greater than or equal to")
Check pagination logic for fence-post errors: does the first page start at 0 or 1? Does the last batch include the final element?
Look for length - 1 on arrays that could be empty — this underflows to type(uint256).max in unchecked contexts or reverts in checked contexts

False Positives

The boundary is intentionally exclusive (e.g., < length - 1 to skip the sentinel/last element by design)
The comparison operator matches the documented specification exactly
The code is iterating over pairs (i < length - 1 to compare arr[i] with arr[i+1])

Remediation

Verify each boundary condition against the specification or documented intent
Be explicit about inclusive vs exclusive bounds in comments
Guard against empty array underflow: check length > 0 before length - 1

function processAll() external {
    for (uint256 i = 0; i < users.length; i++) {
        _distribute(users[i]);
    }
}

// Explicit about boundary semantics
function liquidate(uint256 ratio) external {
    require(ratio < MIN_RATIO, "healthy"); // Strictly below = liquidatable
    _liquidate();
}

apegurus/off-by-one

skills/vulnerability-patterns/off-by-one/SKILL.md

- Contract uses loops with boundary conditions, comparison operators at thresholds, or array index calculations

tools

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus off-by-one

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:28 AM127.2s1 file scanned

SKILL.md

name:: off-by-one
description:: Boundary arithmetic near array length that can hide fence-post mistakes
pattern_category:: logic-error
- regex:: \.length\s*-\s*1
severity:: Low
confidence:: Low

Off-By-One Errors

Preconditions

Contract uses loops with boundary conditions, comparison operators at thresholds, or array index calculations
The boundary/comparison is off by exactly one from the intended behavior

Vulnerable Pattern

// Skips the last element
function processAll() external {
    for (uint256 i = 0; i < users.length - 1; i++) {
        // Should be i < users.length
        // Last user is never processed
        _distribute(users[i]);
    }
}

// Off-by-one in threshold check
function liquidate(uint256 ratio) external {
    // Should be ratio < MIN_RATIO (liquidate when below)
    // Using <= means accounts AT the minimum are also liquidated
    require(ratio <= MIN_RATIO, "healthy");
    _liquidate();
}

// Out-of-bounds access
function getLastUser() external view returns (address) {
    return users[users.length]; // Should be users.length - 1
}

Detection Heuristics

For every loop, check the boundary condition: < length vs <= length vs < length - 1
< length - 1 skips the last element — flag unless intentional
<= length goes out of bounds on array access — flag always
For comparison operators at thresholds (>, >=, <, <=), verify the boundary matches the specification (e.g., "greater than" vs "greater than or equal to")
Check pagination logic for fence-post errors: does the first page start at 0 or 1? Does the last batch include the final element?
Look for length - 1 on arrays that could be empty — this underflows to type(uint256).max in unchecked contexts or reverts in checked contexts

False Positives

The boundary is intentionally exclusive (e.g., < length - 1 to skip the sentinel/last element by design)
The comparison operator matches the documented specification exactly
The code is iterating over pairs (i < length - 1 to compare arr[i] with arr[i+1])

Remediation

Verify each boundary condition against the specification or documented intent
Be explicit about inclusive vs exclusive bounds in comments
Guard against empty array underflow: check length > 0 before length - 1

function processAll() external {
    for (uint256 i = 0; i < users.length; i++) {
        _distribute(users[i]);
    }
}

// Explicit about boundary semantics
function liquidate(uint256 ratio) external {
    require(ratio < MIN_RATIO, "healthy"); // Strictly below = liquidatable
    _liquidate();
}

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/vulnerability-patterns/off-by-one ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT